Are you looking for a site-to-site configuration?
– baumgart, Dec 3 '09 at 13:42

Sorry, not sure what you mean.
– user13185, Dec 3 '09 at 16:07

I don't understand why you want to modify the routing table on the server. If you want the client to have a route through the tunnel to SIP1, that makes sense. Otherwise I'm not sure what you're looking for.
– baumgart, Dec 3 '09 at 19:22

I'm looking for a way to make sure any access from the server to client daemons that listen on CIP1 goes through the tunnel.
– user13185, Dec 3 '09 at 19:38

Why not just talk to the client over its VPN address?
– larsks, Dec 3 '09 at 21:06

2 Answers

It looks like you might be able to use the client-connect script to do what you want. From the man page:

The script is passed the common name and IP address of the just-authenticated client as environmental variables (see environmental variable section below). The script is also passed the pathname of a not-yet-created temporary file as $1 (i.e. the first command line argument), to be used by the script to pass dynamically generated config file directives back to OpenVPN.

So, using this script, you should be able to add the necessary route commands to the OpenVPN configuration. There is a corresponding client-disconnect script you can use to tear down the route.
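As an added illustration (not code from this answer or from OpenVPN), here is one shape such a client-connect script can take on the server: it reads the variables OpenVPN exports, installs a host route to CIP1 via the client's tunnel address, and writes a push directive into the temp file $1 so the client reaches SIP1 through the tunnel too; invoked as client-disconnect it removes the route again. The script path, the CIP1/SIP1 addresses and the helper names are assumptions; script_type, common_name and ifconfig_pool_remote_ip are the variables OpenVPN actually exports.

```shell
#!/bin/sh
# Assumed path: /etc/openvpn/tunnel-route.sh, wired into the server config as
#   script-security 2
#   client-connect    /etc/openvpn/tunnel-route.sh
#   client-disconnect /etc/openvpn/tunnel-route.sh
# OpenVPN exports script_type, common_name and ifconfig_pool_remote_ip to it,
# and passes client-connect a temp file as $1 for extra config directives.
set -eu

CIP1="${CIP1:-192.0.2.10}"     # placeholder: client's public address (CIP1)
SIP1="${SIP1:-198.51.100.5}"   # placeholder: server's public address (SIP1)

# Accept only a plain dotted quad, so nothing taken from the environment can
# carry shell metacharacters into the route command below.
is_ipv4() {
    case "$1" in *[!0-9.]*|""|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print (rather than run) the host-route command, so it can be checked offline.
route_cmd() {   # $1 = add|del, $2 = destination host, $3 = client's tunnel IP
    is_ipv4 "$2" && is_ipv4 "$3" || { echo "route_cmd: bad address" >&2; return 1; }
    printf 'ip route %s %s/32 via %s\n' "$1" "$2" "$3"
}

# Directive handed back through $1: makes the client reach SIP1 via the tunnel.
push_directive() {   # $1 = server public address
    is_ipv4 "$1" || return 1
    printf 'push "route %s 255.255.255.255"\n' "$1"
}

main() {
    gw="${ifconfig_pool_remote_ip:?no tunnel address exported by OpenVPN}"
    if [ "${script_type:-}" = "client-disconnect" ]; then
        $(route_cmd del "$CIP1" "$gw")   # output is validated words; safe to split
    else
        $(route_cmd add "$CIP1" "$gw")   # set -e aborts (no route) if validation fails
        push_directive "$SIP1" > "$1"
    fi
    logger -t openvpn "${script_type:-?} ${common_name:-?}: $CIP1 via $gw"
}

# Run only when OpenVPN invokes us (it exports script_type), not when sourced.
if [ -n "${script_type:-}" ]; then main "$@"; fi
```

The route only exists while the client is connected, which is exactly the window in which traffic to CIP1 is protected; the firewall point made in the second answer still applies for the time in between.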

I assume this is a typical server-to-server [ rather than dialup-alike ] setup.

On the server side put something as follows:

# first local address assigned to the vpn tunnel, then remote
# [ this is not SIPx/CIPx - it's just private addressing for the tunnel ]
ifconfig 10.255.255.10 10.255.255.9
# here you install a new route on the server whenever vpn is established
# you want to put CIP1/32 routed via vpn ip assigned to the remote end of vpn
route 10.13.0.0 255.255.0.0 10.255.255.9
port somePort
[..]

On the client side:

# put your SIP1 here and some port on which server is configured
remote 213.xxx.xxx.xxx somePort
# again - first is local, second - remote address of vpn tunnel
ifconfig 10.255.255.9 10.255.255.10
# you want to put below SIP1/32 routed via vpn ip from far end of the tunnel
route 10.15.0.0 255.255.0.0 10.255.255.10

You will need to add to those a few lines specific to your encryption method. Try a pre-shared key for starters, as described here. It'll be more secure if you use proper TLS for a production setup.

Since you'll inject SIP1/32 [ SIP1 255.255.255.255 in the notation used in OpenVPN ] - your secure route - as soon as the VPN is established, it will always be chosen for communication to SIP1 [ and vice versa ].
But as soon as the VPN goes down, possibly sensitive traffic will flow via the untrusted network, which you do not want to happen. If you do have to use public SIP1 / CIP1, make sure firewalls [ even the local ones ] allow only communication over the tunX devices created by OpenVPN and do not let any direct traffic onto the public internet.